In brief
Following the issuance of the first version of the Draft Decree on Personal Data Protection (“Draft Decree”) in 2019, on 9 February 2021, the Ministry of Public Security (MPS) released the second version to collect public opinions until 9 April 2021.
This updated draft has a more robust set of rules regulating specific rights of data subjects, cross-border transfer of data, and processing of sensitive personal data. Noncompliance may subject stakeholders to temporary suspension of operation, and/or revocation of permission for cross-border data transfer in addition to monetary fines.
Key takeaways
- The covered subjects would include every agency, organization and individual that engage in activities relating to personal data.
- Personal data is now categorized into two types: basic and sensitive.
- De-identification and anonymization are introduced as part of the approach to protect the data subjects’ identities.
- A personal data protection committee (“PDP Committee“) will be established to oversee and ensure compliance of the covered subjects.
- Personal data processors must ensure compliance with the requirements on: (i) consent of data subject; (ii) notification to data subjects; (iii) registration with the PDP Committee; (iv) application of measures for personal data protection; and (v) issuance of personal data protection regulations.
- A child’s age must be verified and the consent of their parents or guardian must be obtained prior to the processing of their personal data.
- A maximum fine of 5% of the total revenue generated in Vietnam can be imposed in case of a repeat violation.